
How to Configure a Scripted Data Input Using a PS1 or PowerShell Script?

So we have a PowerShell script which generates statistics about the processes running on my Windows system.

The script (getprocess.ps1) is down below,

Get-Process | Sort-Object CPU -Descending

NOTE: You can run the given script in your PowerShell console first to test whether you have the permissions required to view process-related statistics. If not, ask your group owner to grant you the required permissions; otherwise the scripted input is not going to work.
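The one-liner above prints a formatted table, which Splunk has to parse as free text. The following is an added example (not from the original post) of a getprocess.ps1 variant that emits one key=value line per process, so Splunk's automatic field extraction picks up the fields without a custom props.conf. It assumes it is launched by runpowershell.cmd from the app's bin\powershell folder, and the cap of 50 processes is an arbitrary choice made here.

```powershell
# Added example: Splunk-friendly variant of getprocess.ps1 (not the original post's script).
# Emits one event per process in key=value form, highest CPU consumers first.
# Assumption: run under the Splunk service account via runpowershell.cmd; CPU and Path
# are $null for processes that account is not allowed to inspect, so they are defaulted.

$timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$template  = '{0} host="{1}" process_name="{2}" pid={3} cpu_seconds={4} working_set_bytes={5} handles={6} threads={7} path="{8}"'

Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 50 |          # constructed cap; raise or drop it as needed
    ForEach-Object {
        # Default the fields that are empty for protected (e.g. SYSTEM) processes
        $cpu  = if ($null -ne $_.CPU) { [math]::Round($_.CPU, 2) } else { 0 }
        $path = if ($_.Path) { $_.Path } else { "unknown" }

        # Quote values that may contain spaces so field extraction stays intact
        $fields = @(
            $timestamp, $env:COMPUTERNAME, $_.ProcessName, $_.Id, $cpu,
            $_.WorkingSet64, $_.HandleCount, $_.Threads.Count, $path
        )
        $template -f $fields
    }
```

Because each line starts with an ISO 8601 timestamp, Splunk can also use it as the event time instead of the index time.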

We will configure this scripted input within the “search” app. So let’s go to the following path,

C:\Program Files\Splunk\etc\apps\search\bin

Then save the following cmd script in that location.

Name of the script: “runpowershell.cmd”

@ECHO OFF

:: ######################################################
:: #
:: # Splunk for Microsoft Windows
:: # 
:: # Copyright (C) 2019 Splunk, Inc.
:: # All Rights Reserved
:: #
:: ######################################################

:: Name of the app whose bin\powershell folder holds the .ps1 script.
:: The original add-on version sets this to Splunk_TA_windows; it is set
:: to "search" here because this walkthrough places getprocess.ps1 under
:: %SPLUNK_HOME%\etc\apps\search\bin\powershell.
set SplunkApp=search

:: %1 is the script file name passed on the command line (e.g. getprocess.ps1).
:: The .ps1 is dot-sourced so its output goes to stdout, which Splunk indexes.
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"

Then create a folder called “powershell” inside that same “bin” folder, and place your “getprocess.ps1” script within it.

Location of the “getprocess.ps1” script:

C:\Program Files\Splunk\etc\apps\search\bin\powershell

Now go to your Splunk UI and log in with your credentials.

After that, click on Settings and then Data Inputs.

Then scroll down and click on “Scripts” and then “New Local Script”.

Script Path: choose the script path from the dropdown

Script name: choose “runpowershell.cmd”

Command: $SPLUNK_HOME\etc\apps\search\bin\runpowershell.cmd getprocess.ps1

NOTE: Under Command, don’t forget to keep a space between “runpowershell.cmd” and “getprocess.ps1”, since the script name is passed as the first argument.

Interval: choose how often the script should run

And click on Next.

Then choose all meta information like sourcetype, index, and app context.


Then click on Review to finish, and search for your data.

NOTE: “runpowershell.cmd” is required to add any ps1 or PowerShell scripted input in Splunk, because Splunk launches scripted inputs directly and cannot execute a .ps1 file on its own. “runpowershell.cmd” launches powershell.exe, which then executes the requested script.

Hope you all enjoyed this blog, “Configure a Scripted Data Input Using a PS1 or PowerShell Script”. See you all in the next one; till then stay safe, maintain physical distance, wear a mask and sanitize to prevent the spread of the Omicron variant.

Happy splunking!!
